This bill enacts the Maine Consumer Privacy Act, which takes effect July 1, 2026. The Act regulates the collection, use, processing, disclosure, sale and deletion of nonpublicly available personal data that is linked or reasonably linkable to an individual who is a resident of the State, referred to in the Act as a "consumer," by a person that conducts business in this State or that produces products or services targeted to residents of this State, referred to in the Act as a "controller." Under the Act, a controller must limit the collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which the controller processes that data, as disclosed in a privacy notice specifying the categories of personal data processed by the controller, the purposes for processing the personal data, the categories of personal data transferred to 3rd parties and the categories of 3rd parties to whom personal data is shared. A consumer has the right, under the Act, to confirm whether a controller is processing the consumer's personal data; to require the controller to correct inaccuracies in or delete the consumer's personal data; to obtain a copy of the consumer's personal data; and to opt out of the processing of the consumer's personal data for purposes of targeted advertising, sale or profiling in furtherance of decisions about the consumer's access to financial or lending services, housing, insurance, education, criminal justice, employment opportunities, health care services and essential goods and services. The privacy notice must describe how a consumer may exercise these rights. 
The controller must obtain the affirmative, informed consent of a consumer before processing the consumer's sensitive data, including data revealing the consumer's race or ethnic origins, religious beliefs, medical history or mental or physical health conditions or diagnoses, sexual orientation or citizenship or immigration status; genetic or biometric data used to uniquely identify an individual; precise geolocation data; data of a known child who has not attained 13 years of age; or data concerning the consumer's status as the victim of a crime. If the controller knows that the consumer has not attained 13 years of age, the controller may not process the consumer's data for any purpose without parental consent. If the controller knows or willfully disregards that the consumer is at least 13 years of age but has not attained 16 years of age, the controller may not process the consumer's data for targeted advertising and must obtain the consumer's consent before processing the consumer's data for sale. The Act prohibits a controller from processing data in a manner that discriminates against a person in violation of state or federal law. A controller is also prohibited from retaliating against a consumer for exercising the consumer's rights under the Act, except that a controller may offer different prices or selection of goods in connection with a consumer's voluntary participation in a bona fide loyalty or discount program. A controller must establish, implement and maintain reasonable data security practices. Beginning July 1, 2026, if a controller engages in a data processing activity that presents a heightened risk of harm to a consumer, including processing any data for targeted advertising, sale or profiling or any processing of sensitive data, the controller must conduct and document a data protection assessment to identify and weigh the benefits and potential risks of the processing activity. The controller may be required to disclose the data protection assessment to the Attorney General, who must keep it confidential, when the assessment is relevant to an investigation conducted by the Attorney General.

The provisions of the Act do not apply to specifically enumerated persons, including the State, political subdivisions of the State and federally recognized Indian tribes in the State; financial institutions or their affiliates subject to the federal Gramm-Leach-Bliley Act that are directly and solely engaged in financial activities; state-licensed and authorized insurers that are in compliance with applicable Maine laws governing insurer data security and data privacy; and persons that both processed the personal data of fewer than 25,000 consumers in the preceding calendar year and derived no more than 25% of gross revenue from the sale of personal data. The Act also does not apply to persons that controlled or processed the personal data for purposes other than completing payment transactions of fewer than 100,000 consumers in the preceding calendar year, except that, beginning January 1, 2028, this exception applies only to persons that controlled or processed the personal data for purposes other than completing payment transactions of fewer than 50,000 consumers in the preceding calendar year. In addition, the provisions of the Act do not apply to specifically enumerated types of data, including: nonpublic personal information regulated under the federal Gramm-Leach-Bliley Act; health care information protected under the Maine Revised Statutes, Title 22, section 1711-C; protected health information under the federal Health Insurance Portability and Accountability Act of 1996; personal data regulated by the Family Educational Rights and Privacy Act of 1974; data processed and maintained by the controller regarding an applicant for employment or employee to the extent the data is collected and used within the context of that role; and data necessary for the controller to administer benefits. The Maine Consumer Privacy Act also does not prohibit controllers from engaging in specifically enumerated activities, including complying with state or federal law; complying with investigations or subpoenas from governmental authorities including the Federal Government and the government of a state or a federally recognized Indian tribe in the State; cooperating with federal, state or tribal law enforcement agencies; providing a product or service specifically requested by the consumer; protecting life and physical safety of consumers and preventing or responding to security incidents; and conducting internal product research, effectuating a product recall or performing other internal operations aligned with the expectations of a consumer.

Violations of the Act may be enforced exclusively by the Attorney General under the Maine Unfair Trade Practices Act. Absent a showing of immediate irreparable harm, the Attorney General is required to provide a potential defendant with at least 30 days' notice prior to initiating an enforcement action, during which time the potential defendant may cure any violation alleged in the notice. Any civil penalties, attorney's fees or costs awarded to the State for a violation of the Act must be deposited in the Maine Privacy Fund, which is established to provide funding for the enforcement staff and activities of the Department of the Attorney General. The Act further requires the Attorney General to submit a report by February 1, 2027 to the joint standing committee of the Legislature having jurisdiction over judiciary matters regarding the operation and implementation of the Act. The committee may report out legislation related to the report to the 133rd Legislature in 2027.